CVE-2026-40517

radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names

CVSS 8.4 HIGH · EPSS 1.1% · CWE-78
In short

radare2's PDB file parser doesn't properly sanitize symbol names, allowing attackers to inject malicious commands. If you open a crafted PDB file, an attacker can execute arbitrary commands on your system.

Technical detail

The PDB parser's print_gvars() function contains a command injection vulnerability (CWE-78): newline characters in symbol names bypass the sanitization applied when symbols are interpolated into flag rename commands. An attacker who supplies a malicious PDB file can inject radare2 commands, which are then executed via radare2's shell operator, leading to arbitrary OS command execution with the privileges of the user running radare2.

Summary generated and translated by AI from the official description.
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
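The root cause described above is interpolation of untrusted PDB symbol names into a radare2 command string. The following added example (not radare2's own code) shows the kind of allowlist check a parser should apply before building such a command: names containing newlines, command separators or the shell operator are rejected or neutralised. The `fr old new` command format and the allowlisted character set are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check, not radare2's code: a PDB symbol name may only be
 * interpolated into an r2 command line if it cannot end the current
 * command (newline) or chain/escape into another one (';', '!', '`', ...). */
static bool symbol_name_is_safe(const char *name) {
    if (!name || !*name) return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f ||            /* control chars incl. \n and \r */
            *p == ';' || *p == '!' || *p == '`' || /* separator, shell op, backtick */
            *p == '|' || *p == '"' || *p == '\'' || *p == '#') {
            return false;
        }
    }
    return true;
}

/* Neutralising variant: copy name into out, replacing every byte outside a
 * conservative allowlist with '_'. Returns the number of bytes written. */
static size_t symbol_name_sanitize(const char *name, char *out, size_t outlen) {
    size_t n = 0;
    if (!out || outlen == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p && n + 1 < outlen; p++) {
        bool ok = isalnum(*p) || *p == '_' || *p == '.' || *p == '$' || *p == '@' || *p == ':';
        out[n++] = ok ? (char)*p : '_';
    }
    out[n] = '\0';
    return n;
}

/* Build a flag-rename command ("fr old new" is assumed) only from validated
 * names. Returns the command length, or -1 if a name fails the check or the
 * buffer is too small, so the caller never runs a command with a tainted name. */
static int build_rename_cmd(const char *oldname, const char *newname,
                            char *cmd, size_t cmdlen) {
    if (!symbol_name_is_safe(oldname) || !symbol_name_is_safe(newname)) return -1;
    int w = snprintf(cmd, cmdlen, "fr %s %s", oldname, newname);
    return (w < 0 || (size_t)w >= cmdlen) ? -1 : w;
}
```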
Affected products
radareorg · radare2